stealer malware Archives

Winsage

November 25, 2025

JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers

Cybersecurity experts have identified a new campaign that combines ClickFix tactics with counterfeit adult websites to trick users into executing harmful commands under the guise of a "critical" Windows security update. This campaign uses fake adult sites, including clones of popular platforms, as phishing mechanisms, increasing psychological pressure on victims. ClickFix-style attacks have risen significantly, accounting for 47% of all attacks, according to Microsoft data. The campaign features convincing fake Windows update screens that take over the user's screen and instruct them to execute commands that initiate malware infections. The attack begins when users are redirected to a fake adult site, where they encounter an "urgent security update." The counterfeit Windows Update screen is created using HTML and JavaScript, and it attempts to prevent users from escaping the alert. The initial command executed is an MSHTA payload that retrieves a PowerShell script from a remote server, which is designed to deliver multiple payloads, including various types of malware. The downloaded PowerShell script employs obfuscation techniques and seeks to elevate privileges, potentially allowing attackers to deploy remote access trojans (RATs) that connect to command-and-control servers. The campaign has been linked to other malware execution chains that also utilize ClickFix lures. Security researchers recommend enhancing defenses through employee training and disabling the Windows Run box to mitigate risks associated with these attacks.

Tech Optimizer

November 16, 2025

TikTok malware scam tricks you with fake activation guides

Cybercriminals are exploiting TikTok to deceive users by presenting malicious downloads as free activation guides for popular software, including Windows and Microsoft 365. Security expert Xavier Mertens identified this campaign, which involves TikTok videos showcasing PowerShell commands that mislead users into executing them as administrators. These commands redirect users to a malicious website, downloading Aura Stealer malware that extracts saved passwords, cookies, and other sensitive information. This scam employs a ClickFix attack, making victims believe they are following legitimate instructions. The PowerShell command links to a remote domain, slmgr[.]win, which retrieves harmful executables hosted on Cloudflare, including updater.exe, a variant of Aura Stealer. Another file, source.exe, executes code in memory, complicating detection. To protect against these scams, users should avoid executing commands from TikTok, download software from trusted sources, keep security tools updated, use strong antivirus software, consider data removal services, reset credentials if compromised, use unique passwords, and enable multi-factor authentication.

Tech Optimizer

September 25, 2025

LastPass: GitHub hosts atomic stealer malware campaign

Cybersecurity researchers have identified a malware campaign targeting Mac users, with attackers creating fraudulent GitHub pages to distribute an infostealer known as Atomic Stealer (AMOS). The campaign was first detected on September 16, 2025, involving pages that falsely claimed to offer LastPass software. Users are misled into clicking links that redirect them to malicious sites, where they are prompted to execute a command that installs malware on their systems. The attackers impersonate reputable companies and use multiple GitHub usernames to avoid detection, employing SEO techniques to rank their malicious links higher in search results. LastPass is actively monitoring the situation and working on takedowns. Users are advised to download software only from official sources, avoid executing commands from unknown sites, keep software updated, use antivirus protection, enable regular backups, and be cautious of unexpected links and emails.

Tech Optimizer

September 22, 2025

Gamers Warned as BlockBlasters Patch Installs Malicious Software

BlockBlasters, a 2D platformer-shooter developed by Genesis Interactive, was removed from Steam after a late-August patch introduced malware that compromised players' sensitive information. The update, released on August 30, contained harmful components identified by security firm G DATA as a sophisticated operation aimed at stealing personal data. The malware, initiated by a file named game2.bat, collected data such as IP location and Steam login credentials, transmitting it to a command-and-control server. The malicious sequence included additional scripts that targeted browser extensions and cryptocurrency wallets. Over 100 players downloaded the compromised build, with reports of infections during gameplay. Following these revelations, BlockBlasters was flagged as "suspicious" and removed from the platform. Players are advised to uninstall the game and conduct antivirus scans.

Winsage

August 18, 2025

Windows 11 24H2 Security Update Causes SSD/HDD Failures and Potential Data Corruption

A significant security update from Microsoft, Windows 11 24H2 (KB5063878), is causing issues for users, making SSDs and HDDs inaccessible and potentially corrupting user data. Users have reported installation failures with error code 0x80240069, and despite a hotfix, the update has led to storage drives disappearing from the Windows environment, particularly during large sequential write operations. Recovery attempts are often unsuccessful, putting user files at risk. Microsoft has not provided an official fix, and users are advised to avoid the update and ensure routine data backups. Unplugging and reconnecting the affected drive may temporarily restore visibility but does not guarantee data safety.

Tech Optimizer

July 8, 2025

This dangerous Mac malware just got a major upgrade which makes it even harder to delete — how to stay safe

An updated variant of the Atomic Stealer malware is targeting Mac users, capable of stealing sensitive information such as keychain passwords, local files, browser cookies, credit card details, and cryptocurrency assets. This malware can establish a backdoor on compromised Macs, making them vulnerable to further attacks. It operates on a malware-as-a-service model, allowing cybercriminals to subscribe for a monthly fee. The malware includes a hidden backdoor executable named ‘.helper’ and a persistent wrapper script ‘.agent’, which executes continuously and is activated each time the infected Mac is powered on. The primary distribution channels for this malware are cracked software and spear phishing campaigns. Users are advised to avoid unauthorized software downloads and minimize personal information shared online to reduce the risk of infection. Additional antivirus solutions are recommended for enhanced protection against sophisticated threats.

AppWizard

June 22, 2025

Counterfeit Minecraft mods deliver malware

A series of sophisticated cyberattacks using ACR Stealer-based Amatera Stealer malware have been executed as part of ClearFake web injection campaigns between April and May. These campaigns utilize advanced techniques, including EtherHiding to obscure malicious activities, targeting smart contracts on the Binance Smart Chain for unauthorized access, and ClickFix Exploitation to manipulate user interactions for executing harmful scripts.

AppWizard

June 19, 2025

Minecraft cheat tools may actually contain malware

Trojanized cheat tools for Minecraft hosted on GitHub have been found to install malware that extracts sensitive information from players. Check Point Research identified around 500 GitHub repositories involved, potentially compromising about 1,500 devices. This operation, active since March, is linked to Russian-speaking malware developers from the Stargazers Ghost Network. The malware, disguised as cheat tools like Oringo and Taunahi, initiates a multi-stage attack requiring Minecraft to be pre-installed. It first installs a malicious JAR mod that evades detection, then proceeds to steal Minecraft tokens, Microsoft account information, and data from platforms like Discord and Telegram. The final component captures credentials from web browsers, cryptocurrency wallets, VPN applications, and gaming platforms, sending the stolen data to a Discord webhook.

Winsage

May 22, 2025

Microsoft says Lumma password stealer malware found on 394,000 Windows PCs

Microsoft, in collaboration with law enforcement, has taken legal action against the Lumma malware operation, which has affected over 394,000 Windows PCs globally, particularly in Brazil, Europe, and the United States. A federal court authorized the seizure of 2,300 domains used as command and control servers for Lumma, and the Justice Department confiscated five additional domains related to its infrastructure. Lumma is primarily spread through questionable games or cracked applications and extracts sensitive information such as logins, passwords, credit card details, and cryptocurrency wallets, which is then sold to other cybercriminals. Lumma also facilitates the deployment of additional malware, including ransomware, and has been linked to significant cyberattacks on major tech companies like PowerSchool and Snowflake, resulting in substantial data theft.

Winsage

May 22, 2025

Microsoft says 394,000 Windows computers infected by Lumma malware

Microsoft announced the dismantling of the Lumma Stealer malware project in collaboration with global law enforcement. Over 394,000 Windows computers were identified as infected by Lumma between March 16 and May 16. The malware is known for stealing sensitive information such as passwords and credit card details. Microsoft, with a court order, dismantled the web domains supporting Lumma's infrastructure, while the U.S. Department of Justice took control of its central command structure. More than 1,300 domains were seized or transferred to Microsoft, with 300 acted upon by law enforcement and Europol. Other tech firms like Cloudflare and Lumen assisted in this effort. Since 2022, hackers have been acquiring Lumma through underground forums, and it has been used in phishing campaigns and attacks on various sectors, including gaming, education, and critical infrastructure.